[wplug] howto advertise all ports as open

Alexandros Papadopoulos apapadop at cmu.edu
Sat Mar 29 16:02:36 EST 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi list!

I've come across the idea of having a machine overwhelm an attacker by 
presenting *all* ports as listening/open. Unfortunately I haven't found 
anything like a kernel module that can emulate this behavior, and sure 
enough, it can only be implemented at the kernel level, as it involves 
IP stack trickery.

Example: I run a client machine with no listening ports, but as a 
"public service" (or just for fun) I employ this nice module (if I ever 
find it...) that tricks port scanners into believing that all my well 
known ports (anything in /etc/services) are open. The attacker/script 
thinks they hit the jackpot, and proceeds to spend many hours banging on 
my machine with probes/exploits, only to have absolutely nothing 
happen. No RSTs, no ECHO replies, no handshakes. Everything vanishes in 
a black hole (netfilter DROP). The attacker quits in frustration.

Does anyone know of such a module?

Thanks

- -A
- -- 
http://andrew.cmu.edu/~apapadop/pub_key.asc
3DAD 8435 DB52 F17B 640F  D78C 8260 0CC1 0B75 8265
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+hgnsgmAMwQt1gmURAr1lAJwKE5HJJqIABDxEC1qpATFm5GznvQCfUH2i
YbkDq4byzPSJl9HSOAV6m/8=
=Eu2g
-----END PGP SIGNATURE-----



